diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6f5c7f72..5a9cf993b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@
 
 ## Unreleased: mitmproxy next
 
+* Use newer cryptography APIs to avoid CryptographyDeprecationWarnings.
+  This bumps the minimum required version to cryptography 42.0.
+  ([#6718](https://github.com/mitmproxy/mitmproxy/pull/6718), @mhils)
 
 
 ## 06 March 2024: mitmproxy 10.2.3
diff --git a/mitmproxy/certs.py b/mitmproxy/certs.py
index b054acf42..00e232c01 100644
--- a/mitmproxy/certs.py
+++ b/mitmproxy/certs.py
@@ -100,15 +100,12 @@ class Cert(serializable.Serializable):
 
     @property
     def notbefore(self) -> datetime.datetime:
-        # TODO: Use self._cert.not_valid_before_utc once cryptography 42 hits.
-        # x509.Certificate.not_valid_before is a naive datetime in UTC
-        return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
+        # type definitions haven't caught up with new API yet.
+        return self._cert.not_valid_before_utc  # type: ignore
 
     @property
     def notafter(self) -> datetime.datetime:
-        # TODO: Use self._cert.not_valid_after_utc once cryptography 42 hits.
-        # x509.Certificate.not_valid_after is a naive datetime in UTC
-        return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
+        return self._cert.not_valid_after_utc  # type: ignore
 
     def has_expired(self) -> bool:
         if sys.version_info < (3, 11):  # pragma: no cover
diff --git a/pyproject.toml b/pyproject.toml
index 50ecc9336..597c5dfb8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -35,7 +35,7 @@ dependencies = [
     "asgiref>=3.2.10,<3.8",
     "Brotli>=1.0,<1.2",
     "certifi>=2019.9.11",  # no semver here - this should always be on the last release!
-    "cryptography>=39.0,<42.1",
+    "cryptography>=42.0,<42.1",
     "flask>=1.1.1,<3.1",
     "h11>=0.11,<0.15",
     "h2>=4.1,<5",